CN110460442A - A lattice-based key encapsulation method - Google Patents
- Publication number: CN110460442A
- Authority: CN (China)
- Prior art keywords: ring, polynomial, key, integer, mod
- Legal status: Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3026—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Abstract
The invention discloses a lattice-based key encapsulation method. The method first chooses a special b = α and then computes the corresponding a, which compresses the classical LWE encryption scheme further and yields a fast and efficient lattice-based key encapsulation method. For the residue class ring Z_j involved, when j is even,  is chosen as the representative elements of Z_j; when j is odd,  is chosen as the representative elements of Z_j. The public parameters N, q, α and the way the small-coefficient polynomials f, g, e are chosen should ensure that  holds with very high probability, where ||gr+ef||∞ denotes the largest absolute value among all coefficients of the polynomial gr+ef.
Description
Technical field
The invention belongs to the field of information security technology, and in particular relates to a lattice-based key encapsulation method.
Background art
The public-key encryption algorithms and key encapsulation schemes in use today are mainly built on classical mathematical problems. For example, the widely used RSA public-key cryptosystem and elliptic-curve public-key cryptosystems rely on the hardness of integer factorization and of the discrete logarithm problem on elliptic-curve groups.
In theory, quantum algorithms can efficiently solve classical problems such as integer factorization and discrete logarithms, which poses a great threat to the security of existing public-key cryptosystems. Cryptography that can resist attacks by quantum computers (post-quantum cryptography) has therefore attracted wide attention. According to the underlying hard mathematical problem, post-quantum public-key cryptography is mainly divided into lattice-based, code-based, hash-based and multivariate cryptography.
For lattice-based public-key cryptosystems, after Regev proposed a public-key encryption scheme based on the LWE problem in 2005, more and more cryptographers studied it in depth. Specifically, an LWE-based public-key encryption scheme generally has the following structure: the sender uses the recipient's public key (a, b = as + e_1) to encrypt a message m into the ciphertext (c_1, c_2), where c_1 = ar + e_a, c_2 = br + e_b + Encode(m), and Encode(m) is an encoding of the message m, most commonly  Finally the recipient uses its own private key s to decrypt the ciphertext and recover the message. To reduce the ciphertext size, c_2 is usually compressed. The most common method discards the low-order bits of each coefficient of c_2 and keeps only the 2 to 3 high-order bits, which requires a sufficiently large q to be compatible with this compression and to guarantee correct decryption.
Besides lattice-based public-key encryption, lattice-based key encapsulation mechanisms are also an important part of lattice cryptography. In a key encapsulation mechanism, the sender runs an encapsulation algorithm to generate a session key and a corresponding ciphertext, which is also called the session key encapsulation. The sender then sends the session key encapsulation to the recipient, who runs the decapsulation algorithm to obtain the same session key as the sender. With the classical Fujisaki-Okamoto (FO) transformation, a key encapsulation mechanism with IND-CPA security can be converted into a key encapsulation mechanism with IND-CCA2 security.
Summary of the invention
The purpose of the present invention is to provide a lattice-based key encapsulation method. Unlike the classical LWE encryption scheme, which first chooses a at random and then computes the corresponding b, the present invention first chooses a special b = α and then computes the corresponding a, which compresses the classical LWE encryption scheme further and provides a fast and efficient lattice-based key encapsulation method.
For the residue class ring Z_j used in the present invention, when j is even we choose  as the representative elements of Z_j; when j is odd we choose  as the representative elements of Z_j.
A lattice-based key encapsulation method, comprising the following steps:
Step 1.1: key generation method: the recipient first chooses a positive integer N, an integer q greater than 1, and a positive integer α such that  It chooses a degree-N integer-coefficient polynomial F(x) and sets the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q, and publishes (N, q, α) and the ring R_q as public parameters. The recipient selects small-coefficient polynomials f, g in R_q; the polynomial f serves as the private key and must be invertible in R_q, its inverse being denoted f^{-1}. Finally it computes the public key h = f^{-1}(g + α) mod q.
Step 1.2: encapsulation method: the sender chooses a small-coefficient polynomial e in R_q and an integer-coefficient polynomial r of degree less than N, where each coefficient r_i of r is taken from the ring Z_{⌈q/α⌉}. Using the recipient's public key h, the sender computes the ciphertext c = hr + e mod q and sends it to the recipient. Finally the sender computes the session key K = H(h, r, c), where H(·) denotes some public function.
Step 1.3: decapsulation method: the recipient uses its own private key f and the received ciphertext c to compute d = fc mod q. For each coefficient d_i ∈ Z_q of d, it finds the integer l_i in the value range of r_i that minimizes |(d_i - l_i α) mod q| and sets r_i = l_i; here the polynomial  , the polynomial  , d_i denotes the coefficient of the polynomial d for the monomial x^i, r_i denotes the coefficient of the polynomial r for the monomial x^i, and the integer i ranges from 0 to N-1. Finally, using the obtained h, r, c, the session key K is generated by the function H(h, r, c).
The small-coefficient polynomials f, g of step 1.1 and the small-coefficient polynomial e of step 1.2 can be chosen as follows:
1) from the set of binary polynomials  , whose coefficients take the value 0 or 1, with exactly y coefficients equal to 1, where the positive integer y is a preset fixed value;
2) from the set of ternary polynomials  , whose coefficients take the value 0, 1 or -1, with exactly y coefficients equal to 1 and y′ coefficients equal to -1, where the positive integers y and y′ are preset fixed values;
3) from the set of polynomials of the form f_1 f_2 + f_3, where f_1, f_2, f_3 are chosen from B(y) or T(y′, y″), and the positive integers y, y′, y″ are preset fixed values.
In step 1.1, q and α can be chosen so that  is small, for example no more than 1, to guarantee the success probability of the decapsulation algorithm.
The mod q in steps 1.1, 1.2 and 1.3 means reducing all coefficients of a polynomial modulo q so that they lie in Z_q.
All polynomial multiplications in steps 1.1, 1.2 and 1.3 are defined over the ring R_q. Unlike ordinary polynomial multiplication, multiplication in R_q first computes the product by polynomial multiplication in Z_q[x], then uses polynomial division in Z_q[x] to find the remainder of that product with respect to the divisor F(x), and takes the remainder as the final product.
To guarantee the success probability of the decapsulation algorithm, the public parameters N, q, α chosen in step 1.1 and the way the small-coefficient polynomials f, g, e are chosen should ensure that  holds with very high probability, where ||gr+ef||∞ denotes the largest absolute value among all coefficients of the polynomial gr+ef.
The above idea can be used directly to construct a public-key encryption scheme, with the following steps:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) Encryption: following the method of step 1.2, the sender first computes c_1 = hr + e mod q and K = H(h, r, c_1), then computes c_2 = E_K(m) for the message m, where E_K is some encryption function keyed with K; the ciphertext finally sent is (c_1, c_2).
3) Decryption: the recipient uses the private key f and the ciphertext c_1 to first recover K by the method of step 1.3, and finally recovers the message as m = D_K(c_2), where D_K is the decryption function corresponding to E_K.
If the message m is a polynomial in R_q and every coefficient of m lies in Z_{⌈q/α⌉}, the message m can be used directly as the r of step 1.2, which gives an NTRU-like encryption mechanism with the following steps:
1) Key generation: the recipient's key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) NTRU-like encryption: the sender chooses a small-coefficient polynomial e ∈ R_q and, using m and the recipient's public key h, computes the ciphertext c = hm + e mod q and sends it to the recipient.
3) NTRU-like decryption: the recipient uses the private key f and the received ciphertext c to compute d = fc mod q. For each integer i, 0 ≤ i ≤ N-1, let d_i ∈ Z_q be the coefficient of d for x^i; the recipient finds the integer l_i in the value range of m_i that minimizes |(d_i - l_i α) mod q| and recovers m′_i = l_i. The message finally recovered is (m′_0, m′_1, …, m′_{N-1}).
Using the FO transformation, a key encapsulation mechanism with IND-CCA2 security can be constructed, with the following steps:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) Encapsulation reaching IND-CCA2 security via the FO transformation: the sender chooses an integer-coefficient polynomial r of degree less than N, each coefficient r_i of which is taken from the ring Z_{⌈q/α⌉}, and computes  where G(·) is a pseudorandom number generator, D(·) denotes a hash function, || denotes concatenation, and the N-dimensional vector  and the N-dimensional vector e are the output of the pseudorandom number generator on input D(h)||r. Using the recipient's public key h, the sender computes the ciphertext c = hr + e mod q and sends it to the recipient. Finally the sender generates the session key
3) Decapsulation reaching IND-CCA2 security via the FO transformation: the recipient first recovers the polynomial r′ using the method of step 1.3. It then computes  by means of the pseudorandom number generator and the hash function. Finally it checks whether c and hr′ + e′ mod q are equal; if they are equal it outputs the session key  ; otherwise it outputs the session key K = D(z||c), where z is a secret polynomial fixed in advance.
Compared with the prior art, the positive effects of the present invention are as follows:
By choosing the special b = α, the polynomial b in the public key of the classical LWE scheme becomes a public integer α, which reduces the public key size. In addition, for any r the low-order bits of br are all 0 and can therefore be discarded directly, so a very large q is not needed to guarantee the correctness of the algorithm, which further reduces the public key size and the ciphertext size. Moreover, the invention can be regarded as a higher-order version of NTRU, so it can be expected to be comparable with the NTRU encryption system in key size, security, application scenarios and other respects.
Description of the drawings
Fig. 1 is a flow chart of the key generation method;
Fig. 2 is a flow chart of the encapsulation method;
Fig. 3 is a flow chart of the decapsulation method;
Fig. 4 is a flow chart of the encryption method;
Fig. 5 is a flow chart of the decryption method;
Fig. 6 is a flow chart of the NTRU-like encryption method;
Fig. 7 is a flow chart of the NTRU-like decryption method;
Fig. 8 is a flow chart of the encapsulation method that reaches IND-CCA2 security via the FO transformation;
Fig. 9 is a flow chart of the decapsulation method that reaches IND-CCA2 security via the FO transformation.
Specific embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the invention.
Referring to Fig. 1, Fig. 2 and Fig. 3, this embodiment provides a lattice-based public-key key encapsulation method, with the following steps:
Step 1.1: key generation method: the recipient first chooses an odd prime N, an even number q, and a positive integer  It chooses the integer-coefficient polynomial F(x) = x^N - 1 and sets the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q, and publishes (N, q, α) and the ring R_q as public parameters. The recipient uniformly chooses small-coefficient polynomials f, g in R_q from the ternary polynomial set T(y, y-1) until the polynomial f is invertible in R_q; with f as the private key and its inverse denoted f^{-1}, it computes the public key h = f^{-1}(g + α) mod q.
Step 1.2: encapsulation method: the sender independently and uniformly at random chooses polynomials e and r from the set of binary polynomials of degree less than N, whose coefficients take the value 0 or 1. Using the recipient's public key h, the sender computes the ciphertext c = hr + e mod q and sends it to the recipient. Finally the sender computes the session key K = H(h, r, c), where H(·) denotes some public hash function.
Step 1.3: decapsulation method: the recipient uses its own private key f and the received ciphertext c to compute d = fc mod q. For each coefficient d_i ∈ Z_q of d, it computes the integer l_i ∈ Z_2 that minimizes |(d_i - l_i α) mod q| and sets r_i = l_i; here d_i denotes the coefficient of the polynomial d for x^i, r_i denotes the coefficient of the polynomial r for x^i, and the integer i ranges from 0 to N-1. Finally, using the obtained h, r, c, the session key K is generated by the function H(h, r, c).
The mod q in steps 1.1, 1.2 and 1.3 means reducing all coefficients of a polynomial so that they lie in Z_q.
The different versions of the algorithm are named KEM-N, where N is the degree of the polynomial F(x). Taking both the security and the correctness of the scheme into account, the following two parameter sets are provided.
Table 1: Main parameter choices
Version | N | q | T(y, y-1)
---|---|---|---
KEM-587 | 587 | 1024 | T(196, 195)
KEM-1117 | 1117 | 1024 | T(374, 373)
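A toy end-to-end run of steps 1.1 to 1.3 of this embodiment, as an added Python example that is not part of the patent text. The parameters N = 11, q = 1024, α = 512, y = 3, the use of SHA-256 as H, and the representatives {0, …, ⌈q/α⌉ - 1} for the coefficients of r are assumptions, chosen so that decapsulation always succeeds; they are far too small to be secure.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration only, far too small to be secure).
N, Q, ALPHA = 11, 1024, 512   # F(x) = x^N - 1, q a power of two, ceil(q/alpha) = 2
Y = 3                         # f and g are drawn from T(Y, Y-1)
LEVELS = -(-Q // ALPHA)       # ceil(q/alpha): number of values a coefficient of r can take

def mul(a, b):
    """Product in R_q = Z_q[x]/(x^N - 1): cyclic convolution, coefficients reduced mod q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % Q
    return out

def invert(f):
    """Inverse of f in R_q, or None if f is not invertible.

    Solves f * u = 1 by Gauss-Jordan elimination on the circulant matrix of f.
    Every pivot must be a unit mod q, i.e. odd, because q is a power of two here.
    """
    rows = [[f[(i - j) % N] % Q for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col] % 2), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)
        rows[col] = [v * inv % Q for v in rows[col]]
        for r in range(N):
            k = rows[r][col]
            if r != col and k:
                rows[r] = [(vr - k * vc) % Q for vr, vc in zip(rows[r], rows[col])]
    return [rows[i][N] for i in range(N)]

def ternary(ones, minus_ones):
    """Uniform element of T(ones, minus_ones): that many +1 and -1 coefficients, rest 0."""
    coeffs = [1] * ones + [-1] * minus_ones + [0] * (N - ones - minus_ones)
    secrets.SystemRandom().shuffle(coeffs)
    return coeffs

def binary():
    """Uniform polynomial of degree < N with coefficients in {0, 1}."""
    return [secrets.randbelow(2) for _ in range(N)]

def H(h, r, c):
    """Session-key function H(h, r, c); SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(v.to_bytes(2, "big") for v in h + r + c)).digest()

def keygen():
    """Step 1.1: private key f, public key h = f^-1 (g + alpha) mod q."""
    while True:
        f = ternary(Y, Y - 1)
        f_inv = invert(f)
        if f_inv is not None:
            break
    g = ternary(Y, Y - 1)
    g_plus_alpha = [(g[0] + ALPHA) % Q] + [v % Q for v in g[1:]]
    return mul(f_inv, g_plus_alpha), f

def encaps(h):
    """Step 1.2: ciphertext c = h r + e mod q and session key K = H(h, r, c)."""
    r, e = binary(), binary()
    c = [(x + y) % Q for x, y in zip(mul(h, r), e)]
    return c, H(h, r, c)

def dist_to_zero(v):
    """Absolute value of the representative of v mod q that is closest to zero."""
    v %= Q
    return min(v, Q - v)

def decaps(h, f, c):
    """Step 1.3: d = f c = alpha r + (g r + e f) mod q, then round d_i to the nearest l_i * alpha.

    With Y = 3 and binary r, e every coefficient of g r + e f lies in [-4, 6],
    far below alpha / 2 = 256, so the rounding always returns the sender's r.
    """
    d = mul(f, c)
    r = [min(range(LEVELS), key=lambda l: dist_to_zero(di - l * ALPHA)) for di in d]
    return H(h, r, c)

def roundtrip():
    """Run key generation, encapsulation and decapsulation once; True if both keys agree."""
    h, f = keygen()
    c, k_sender = encaps(h)
    return decaps(h, f, c) == k_sender
```
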
The above idea can be used directly to construct an encryption mechanism. Referring to Fig. 1, Fig. 4 and Fig. 5, the steps are:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) Encryption: the sender chooses a polynomial e ∈ R_q and an integer-coefficient polynomial r of degree less than N, where each coefficient e_i of e and each coefficient r_i of r is taken independently and uniformly at random from Z_2. Using the message m and the recipient's public key h, the sender computes the ciphertext c_1 = hr + e mod q. Let the public function H(·) be H(a_1, a_2, a_3) = a_2, i.e. the output of H(·) is its second input; the temporary key is then K = H(h, r, c_1) = r. The sender computes the ciphertext  where  denotes the XOR operation, i.e. m is encrypted with the key K = r in one-time-pad fashion, and sends the ciphertext (c_1, c_2) to the recipient.
3) Decryption: the recipient uses the private key f and the ciphertext c_1 to compute d = f c_1 mod q. For each coefficient d_i ∈ Z_q of d, it computes the integer l_i ∈ Z_2 that minimizes |(d_i - l_i α) mod q| and sets r_i = l_i; here d_i denotes the coefficient of the polynomial d for x^i, r_i denotes the coefficient of the polynomial r for x^i, and i ranges from 0 to N-1. The message finally recovered is
When the message m is a polynomial in R_q and every coefficient of m lies in Z_2, the message m can be used directly as the r of step 1.2, which gives an NTRU-like encryption mechanism. Referring to Fig. 1, Fig. 6 and Fig. 7, the steps are:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) NTRU-like encryption: the sender chooses a small-coefficient polynomial e ∈ R_q, where each coefficient e_i of e is taken independently and uniformly at random from Z_2, and, using the message m and the recipient's public key h, computes the ciphertext c = hm + e mod q and sends it to the recipient.
3) NTRU-like decryption: the recipient uses the private key f and the ciphertext c to compute d = fc mod q. For each coefficient d_i ∈ Z_q of d, it computes the integer l_i ∈ Z_2 that minimizes |(d_i - l_i α) mod q| and sets m′_i = l_i; here d_i denotes the coefficient of the polynomial d for x^i, and i ranges from 0 to N-1. The message finally recovered is m′ = (m′_0, m′_1, …, m′_{N-1}).
The FO transformation is used to obtain a key encapsulation mechanism with IND-CCA2 security. Referring to Fig. 1, Fig. 8 and Fig. 9, the steps are:
1) Key generation: key generation proceeds as described in step 1.1. The recipient's public key is h and the private key is f.
2) Encapsulation reaching IND-CCA2 security via the FO transformation: the sender uniformly at random chooses a binary polynomial r of degree less than N and computes  where G(·) is a pseudorandom number generator, D(·) denotes a hash function, || denotes concatenation, and the N-dimensional vector  is the output of the pseudorandom number generator. The sender computes the ciphertext c = hr + e mod q and sends it to the recipient. The sender generates the session key
3) Decapsulation reaching IND-CCA2 security via the FO transformation: the recipient first recovers the polynomial r′ using the method of step 1.3. It then computes  by means of the random number generator and the hash function. Finally it checks whether c and hr′ + e′ mod q are equal; if they are equal it outputs the session key  ; otherwise it outputs the session key K = D(z||c), where z is a secret polynomial fixed in advance.
The above embodiments merely illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may modify the technical solution of the invention or replace it with equivalents without departing from the spirit and scope of the invention; the protection scope of the invention is defined by the claims.
Claims (9)
1. A lattice-based key encapsulation method, comprising the following steps:
1) the recipient chooses a positive integer N, an integer q greater than 1 and a positive integer α such that  ; chooses a degree-N integer-coefficient polynomial F(x) and sets the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q; when q is even,  is chosen as the representative elements of Z_q, and when q is odd,  is chosen as the representative elements of Z_q; publishes (N, q, α) and the ring R_q as public parameters; then chooses small-coefficient polynomials f, g in R_q, where the polynomial f, serving as the private key, is invertible in R_q; and computes the public key h = f^{-1}(g + α) mod q;
2) the sender chooses a small-coefficient polynomial e in R_q and an integer-coefficient polynomial r of degree less than N, where each coefficient r_i of r is taken from the ring Z_{⌈q/α⌉}; then, using the recipient's public key h, computes the ciphertext c = hr + e mod q and sends it to the recipient, the sender's session key being K = H(h, r, c), where H(·) denotes a public function; for the ring Z_{⌈q/α⌉}, when ⌈q/α⌉ is even,  is chosen as the representative elements of Z_{⌈q/α⌉}, and when ⌈q/α⌉ is odd,  is chosen as the representative elements of Z_{⌈q/α⌉};
3) the recipient uses its own private key f and the received ciphertext c to compute d = fc mod q; for each coefficient d_i ∈ Z_q of d, finds the integer l_i in the value range of r_i that minimizes |(d_i - l_i α) mod q| and sets r_i = l_i; where the polynomial  , the polynomial  , d_i denotes the coefficient of the polynomial d for the monomial x^i, r_i denotes the coefficient of the polynomial r for the monomial x^i, and i ranges from 0 to N-1; finally, using the obtained h, r, c, generates the session key K by the function H(h, r, c).
2. The method according to claim 1, characterized in that the small-coefficient polynomials f, g, e are chosen from the set of binary polynomials  , whose coefficients take the value 0 or 1 with y coefficients equal to 1, where the positive integer y is a preset fixed value.
3. The method according to claim 1, characterized in that the small-coefficient polynomials f, g, e are chosen from the set of ternary polynomials  , whose coefficients take the value 0, 1 or -1 with y coefficients equal to 1 and y′ coefficients equal to -1, where the positive integers y and y′ are preset fixed values.
4. The method according to claim 1, characterized in that the small-coefficient polynomials f, g, e are chosen from the set of polynomials of the form f_1 f_2 + f_3, where f_1, f_2, f_3 are chosen from B(y) or T(y′, y″), and the positive integers y, y′, y″ are preset fixed values.
5. The method according to claim 1, characterized in that q and α satisfy
6. The method according to claim 1 or 5, characterized in that
7. A public-key encryption system, characterized by comprising a key generation module, an encryption module and a decryption module; wherein
the key generation module is configured to choose a positive integer N, an integer q greater than 1 and a positive integer α such that  ; choose a degree-N integer-coefficient polynomial F(x) and set the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q; when q is even,  is chosen as the representative elements of Z_q, and when q is odd,  is chosen as the representative elements of Z_q; publish (N, q, α) and the ring R_q as public parameters; then choose small-coefficient polynomials f, g in R_q, where the polynomial f, serving as the private key, is invertible in R_q; and compute the public key h = f^{-1}(g + α) mod q;
the encryption module is configured to choose a small-coefficient polynomial e in R_q and an integer-coefficient polynomial r of degree less than N, where each coefficient r_i of r is taken from the ring Z_{⌈q/α⌉}; then, using the recipient's public key h, compute the ciphertext c_1 = hr + e mod q and obtain the session key K = H(h, r, c_1), where H(·) denotes a public function; for the ring Z_{⌈q/α⌉}, when ⌈q/α⌉ is even,  is chosen as the representative elements of Z_{⌈q/α⌉}, and when ⌈q/α⌉ is odd,  is chosen as the representative elements of Z_{⌈q/α⌉}; then encrypt the message m with the key K to obtain c_2, the ciphertext finally obtained being (c_1, c_2);
the decryption module is configured to compute d = f c_1 mod q using the private key f and the ciphertext c_1; for each coefficient d_i ∈ Z_q of d, find the integer l_i in the value range of r_i that minimizes |(d_i - l_i α) mod q| and set r_i = l_i; where the polynomial  , the polynomial  , d_i denotes the coefficient of the polynomial d for the monomial x^i, r_i denotes the coefficient of the polynomial r for the monomial x^i, and i ranges from 0 to N-1; finally, using the obtained h, r, c_1, recover the session key K by the function H(h, r, c_1), and recover the message m using the session key K.
8. A public-key encryption system, characterized by comprising a key generation module, an encryption module and a decryption module; wherein
the key generation module is configured to choose a positive integer N, an integer q greater than 1 and a positive integer α such that  ; choose a degree-N integer-coefficient polynomial F(x) and set the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q; when q is even,  is chosen as the representative elements of Z_q, and when q is odd,  is chosen as the representative elements of Z_q; publish (N, q, α) and the ring R_q as public parameters; then choose small-coefficient polynomials f, g in R_q, where the polynomial f, serving as the private key, is invertible in R_q; and compute the public key h = f^{-1}(g + α) mod q;
the encryption module is configured to choose a small-coefficient polynomial e in R_q and then, for a message m in R_q each coefficient of which lies in Z_{⌈q/α⌉}, compute the ciphertext c = hm + e mod q using the public key h;
the decryption module is configured to compute d = fc mod q using the private key f and the ciphertext c; for each coefficient d_i ∈ Z_q of d, find the integer l_i in the value range of m_i that minimizes |(d_i - l_i α) mod q| and set m′_i = l_i; where d_i denotes the coefficient of the polynomial d for x^i, and i ranges from 0 to N-1; the message finally recovered is (m′_0, m′_1, …, m′_{N-1}).
9. A key encapsulation method with IND-CCA2 security, comprising the following steps:
1) the recipient chooses a positive integer N, an integer q greater than 1 and a positive integer α such that  ; chooses a degree-N integer-coefficient polynomial F(x) and sets the ring R_q = Z_q[x]/F(x), where Z_q[x] is the polynomial ring over the residue class ring Z_q; when q is even,  is chosen as the representative elements of Z_q, and when q is odd,  is chosen as the representative elements of Z_q; publishes (N, q, α) and the ring R_q as public parameters; then chooses small-coefficient polynomials f, g in R_q, where the polynomial f, serving as the private key, is invertible in the polynomial ring R_q; and computes the public key h = f^{-1}(g + α) mod q;
2) the sender chooses an integer-coefficient polynomial r of degree less than N, each coefficient r_i of which is taken from the ring Z_{⌈q/α⌉}, and computes  where G(·) is a pseudorandom number generator, D(·) denotes a hash function, || denotes concatenation, and the N-dimensional vector  and the N-dimensional vector e are the output of the pseudorandom number generator on input D(h)||r; then, using the recipient's public key h, computes the ciphertext c = hr + e mod q and the session key
3) the recipient uses its own private key f and the received ciphertext c to compute d = fc mod q; for each coefficient d_i ∈ Z_q of d, finds the integer l_i in the value range of r_i that minimizes |(d_i - l_i α) mod q| and sets r_i = l_i; where the polynomial  , the polynomial  ; then computes  by means of the pseudorandom number generator and the hash function; finally checks whether the ciphertext c and hr + e′ mod q are equal; if they are equal, outputs the session key  ; otherwise outputs the session key K = D(z||c), where z is a preset secret polynomial.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910584693 | 2019-07-01 | ||
CN2019105846936 | 2019-07-01 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110460442A (en) | 2019-11-15
CN110460442B (en) | 2020-08-14
Family
ID=68483660
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910682004.5A Active CN110460442B (en) | 2019-07-01 | 2019-07-26 | Grid-based key encapsulation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110460442B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112511170A (en) * | 2020-11-10 | 2021-03-16 | 南京航空航天大学 | Parallel implementation method for polynomial compression in lattice code |
CN113315628A (en) * | 2021-04-09 | 2021-08-27 | 中国科学院信息工程研究所 | Key packaging method, device, equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090010436A1 (en) * | 2006-03-15 | 2009-01-08 | Gemplus | Decipherable searchable encryption method, system for such an encryption |
CN102970138A (en) * | 2011-08-29 | 2013-03-13 | 汤姆森特许公司 | Signcryption method and device and corresponding signcryption verification method and device |
CN107682140A (en) * | 2017-11-20 | 2018-02-09 | 中国科学院重庆绿色智能技术研究院 | The file encryption-decryption method of the anti-quantum attack for the low thermal expansion that multinomial point represents |
Non-Patent Citations (2)
Title |
---|
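Zhang Yong et al.: "An encryption scheme based on identity and key encapsulation mechanism", Computer Engineering *
Zhao Zongqu et al.: "Lattice-based key encapsulation mechanism in the standard model", Journal of Frontiers of Computer Science and Technology *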
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112511170A (en) * | 2020-11-10 | 2021-03-16 | 南京航空航天大学 | Parallel implementation method for polynomial compression in lattice code |
CN112511170B (en) * | 2020-11-10 | 2024-04-16 | 南京航空航天大学 | Parallel realization method for polynomial compression in lattice password |
CN113315628A (en) * | 2021-04-09 | 2021-08-27 | 中国科学院信息工程研究所 | Key packaging method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN110460442B (en) | 2020-08-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||